W.H. cyber policy on slow track in wake of Chinese hackers

President Barack Obama’s high-profile cybersecurity order last week faces a brutal reality with news of the latest case of Chinese cyber espionage: The U.S. government has work to do to keep up with the attackers.

The federal government is slow, the regulations are voluntary and cyber defenses at this point aren't yet up to snuff. Substantive changes may move at a snail’s pace in comparison with the rate at which new, sophisticated attacks are coming to light.

For example, it’s going to be many months before the government determines how to share intelligence with companies caught in hackers’ cyber cross hairs. It’s going to take at least a year — if not more — before Washington can articulate the improvements it hopes to see from power plants, the financial system and other forms of critical infrastructure. And any additional cybersecurity work on Capitol Hill won't happen instantly.

“We didn’t get here overnight, and we’re not going to get ourselves out of this situation overnight,” said Michael Daniel, the White House’s lead cybersecurity adviser, at an event last week.

“We can’t do it without those stakeholders; we recognize we have to invest the time,” he said, noting the goal is “striking a balance between moving at the normal federal government speed” and the need for prompt action.

If anything, the slow wheels of the federal bureaucracy contrast greatly with the swift tidal wave of new stories and revelations about cyberattacks from China and elsewhere.

The new findings from the security firm Mandiant, first reported by The New York Times, revealed a coordinated operation targeting top companies like Coca-Cola for their key business secrets and intellectual property. More importantly, Mandiant reaffirmed accusations that China’s digital spies increasingly are taking aim at the nation’s power grid and other, equally critical and sensitive U.S. systems.

And the attacks are hitting across the spectrum. The latest to step forward: Apple acknowledged Tuesday an unrelated cyberattack targeting employee computers — the same sort of exploit that last week impacted Facebook, and possibly countless others. In both instances, no user data had been stolen.

The order — issued last Tuesday after Congress failed repeatedly in 2012 to pass a law — aims to improve the digital defenses at the nation’s critical infrastructure through new, voluntary cyber standards developed with industry input. The feds also hope to facilitate a public-private exchange of threat data.

Ideally, the government has 120 days from the order’s signing to issue instructions for how it might share unclassified data with companies under cyberattack. It has the same amount of time — roughly four months — to put in place procedures to share classified cybersecurity intelligence with critical infrastructure.